Bogleheads.org

[squirm]

What are some ways to prevent someone from getting into or stealing money from my bank and broker accounts?

I have always had a linked savings and checking account. However, now I'm wondering if that is a good idea. I do transfer a lot of transfer between the accounts, however is it a good idea to have overdraft protection? I'm afraid someone might be able to get a hold of a old check that has the routing and account number and drain my savings account. I keep much more $ in my savings, then checking. There was only one time in the last ten years that I have had to use over-draft protection, if that is any help. But what about moving money between the two accounts?

Also what about online brokerage accounts? I have several spread over different firms. I keep my computer up to date with anti-virus and OS system updates, but what about the passwords? Do you use a different password for different brokers if you have more than one? What about an online password system, such as Lastpass? Someone told me they use that service and are happy with them.

BTW, I also shred all my account statements.

Thanks in advance for your replies.

[CaliJim]

however is it a good idea to have overdraft protection?

I turned overdraft off and only keep a month's worth of money in my checking account at any given time

Do you use a different password for different brokers if you have more than one?

ABSOLUTELY. YOU SHOULD USE DIFFERENT PASSWORDS EVERYWHERE. You should use different passwords for every online account you have (itunes, netflix, gmail, amazon, bogleheads...)

What about an online password system,

I keep my passwords in a KeePass database. I keep my KeePass database on a USB drive, with a hardcopy printout in a file drawer.

I have a 16 character password to get into the KeePass file. I unplug the USB drive except when I need it.

I use 20 character, KeePass system generated passwords for all my financial accounts. I don't even bother to memorize them. I just cut and paste them from my KeePass application. I do not store financial passwords in browser (firefox) based password vaults.

[Rupert]

You might also consider using a different browser and a different email address for your sensitive accounts. Google's Chrome is probably the safest browser at the moment. Install it and use it only for accessing your financial accounts. Use another browser, such as Firefox, to do your general Internet surfing and on-line shopping. Also create a secret email account just for communications to/from your financial services providers. Don't give out that address to anyone else for any purpose.

You should un-link your checking and savings account in my opinion. If you're a Boglehead, I doubt you bounce a lot of checks. So why do you need that?

[johnep]

You might also consider using a different browser and a different email address for your sensitive accounts. Google's Chrome is probably the safest browser at the moment. Install it and use it only for accessing your financial accounts. Use another browser, such as Firefox, to do your general Internet surfing and on-line shopping. Also create a secret email account just for communications to/from your financial services providers. Don't give out that address to anyone else for any purpose.

You should un-link your checking and savings account in my opinion. If you're a Boglehead, I doubt you bounce a lot of checks. So why do you need that?

+1
Excellent advice. Also setup strong passwords for your financial, each unique. This is a little bit of a pain but effective. I have heard that at least one of these password services has been hacked. that makes me nervous so I have avoided to date.

[DaveS]

I have a secure computer and an insecure computer. The secure one goes to the bank and brokerage, and court sites - I am a lawyer. The other computer surfs the web, e-mails everything else. There is no relationship between my passwords for secure sites and other passwords. I have the passwords written down but they don't identify any site. You don't want a burglar to be able to steal your passwords. I change the passwords at least once a year. Passwords need to be a mix of numbers letters and punctuation marks. Including the latter greatly increases the difficulty of breaking them. Dave

[stlutz]

As has been discussed on other threads, using false answers to "security questions" (which you'll then need to keep track of on paper or in a KeePass database) is also important. Anyone can figure out where you went to high school. So, if your mascot was the bears, make the security answer something else. Then, use different answers to the same question for other accounts.

On the e-mail accounts, you could take it one step further an have a separate e-mail address for each financial account. If someone hacks into one account, they are then only aware of that single relationship, not all of the firms you do business with.

Or, you could be less paranoid about the whole thing and only do business with firms that have a liberal security guarantee.

[Epsilon Delta]

I have the passwords written down but they don't identify any site. You don't want a burglar to be able to steal your passwords.

Not writing the sites is not much of an obstacle. Most people either use the same username at all sites or include them on the password list. Trying all the possibilities at the 20 locally biggest banks, a bunch of legal related sites and a few national firms is likely to get some hits and it won't trigger alarms because each username is tried only once at any particular site.

[Jerilynn]

I have a secure computer and an insecure computer.

Maybe the insecure one just needs therapy?

[OldOne]

Maybe the insecure one just needs therapy?

Didn't work for you did it?

[cbeck]

Don't start by analyzing the security of your computer. Start by identifying where the risk arises. Overwhelmingly (97%?), the risk of having your account hacked arises on the systems of the institution, not your personal computer. Also, the obligation acknowledged by brokerage firms to make you whole for a loss to your brokerage account is much less clear than it is for banks and credit cards. Therefore the significant risk is at the institution. You will never have to skill or information necessary to assess how effectively any institution manages that risk to your assets. It follows from these facts that the most important step you can take in securing your assets is to divide them between institutions, i.e. do not put it all at Vanguard however convenient that might make your daily life.

After that, by all means, follow the best practices you read about for managing your login credentials: long, randomly-selected passwords that are unique and change often, etc. etc.

[Jerilynn]

Maybe the insecure one just needs therapy?

Didn't work for you did it?

Not yet.
Touche.

[BlueEars]

You will see conflicting advice on this, I fear.

We can all agree on strong passwords.
For financial sites, use unique passwords and logins.
My opinion, only deal with the minimum number of institutions you can get down to. Then make those dealings as solid as possible.
Do not use on-line email for dealing with financial institution's critical communications.
Be aware of scam methods - some paranoia is appropriate regarding money.
Keep your computer up to date. Good anti-virus, Secunia for checking software updates.

[Sunny Sarkar]

I got to thinking about this recently and decided to enforce the following steps:

Secure the email account first. "You are only as safe as your email is". Every other account's security setup funnels into the email account (password resets, user-id resets, account verification, etc.). On top of the usual long complex passwords, something like Gmail's 2-step authentication that sends single use codes to the phone every time is imperative.**

Use LastPass to generate & manage long random complex passwords, a separate one for each account. Use random user-ids also, since LastPass is managing that as well. 2-step authentication for LastPass too, obviously.

Enforce additional security steps like Vanguard's security questions during login, but use wrong answers to prevent social engineering (for example: if your actual pet's name is Jackie, use Rocky as the answer to the security question "what is your favorite pet's name?").

Use Google Chrome incognito mode: Chrome is apparently the safest browser among the top 4 - IE, Firefox, Chrome, Safari. Changed the settings so that all cookies must be deleted every time the browser is exited even when not using incognito mode.

Use Linux instead of Windows whenever possible. Installed Ubuntu alongside Windows, and choose Ubuntu when planning to just go online and use a browser. Thinking about a $249 Chromebook since 90% of my computer usage at home is browsing the internet on a browser only.

---

** Regarding email security, I went one step farther. I bought my own domain ($12/yr) and implemented free Google Apps to use Gmail. This gave me a separate admin/root/superuser login that I can use to reset the password of my regular email account if it gets hacked.

[Phineas J. Whoopee]

Hi BlueEars,

You will see conflicting advice on this, I fear. ...

Indeed. I'm afraid I'm about to give some right now.

... My opinion, only deal with the minimum number of institutions you can get down to. ...

There's the conflict.

Hi Squirm,

You've received great advice in answer to your question on preventing access and theft, and I take most of those precautions myself. I'd like to add some points about limiting damage in the event your security is compromised anyway.

Although I don't say anyone should excessively proliferate accounts, I make a point of keeping deposits, borrowings, and investments at separate institutions.

My reasoning is it would be easiest for a thief to steal my checking account or credit card numbers. Therefore I do what I can to limit how much they might be able to take, even if eventually I would be reimbursed.

I have my checking account at an online bank, and I like to keep a savings account next to it to avoid any temporary liquidity issues. Like you I keep little in checking. I do have the accounts linked for overdraft protection. The way I minimize danger is to keep my balances there strictly limited, so the most anyone could steal is not very much. This bank offers two-factor authentication, so its is the only financial website I ordinarily access while traveling. That protects me from key loggers. I am still vulnerable to man-in-the-middle attacks, so there are no links to other accounts where I have assets. For good measure, I also maintain a secondary no-fee checking account at a small local brick-and-mortar thrift. Such local financial institutions have their own advantages.

My CDs and main savings account are at another, higher yielding bank where I have no transaction account to be compromised. From it I can transfer funds to checking, which takes three business days.

My credit cards are elsewhere, because sometimes in the event of a dispute a credit card issuer can seize money from deposit accounts one holds with them. I've never been in a dispute, but this way they would have to use formal legal process to access my assets.

My non-CD investments are at Vanguard, Treasury Direct, and a 401(k) provider. Vanguard and TD know my checking account number, but as said by others, what could anybody do but sell my assets and send the proceeds to me? One can also instruct Vanguard in writing to disallow any transfers out. You can still transfer in, and rebalance within your accounts. To rescind the order takes another letter. Transfers from my 401(k) can only be made via signed pieces of physical paper.

Operationally, I log in to each account weekly. While I'm there I click my mouse a few extra times to be sure nobody changed my address or phone number, and that there are no new linked accounts. I know someone who says such tasks should be the vendor's responsibility, not mine, but who is more motivated to protect my assets than I?

Hope that helps.

PJW
[Edited twice to correct the incorrect "into" into the correct "in to." Gargh! ]

[BlueEars]

Hi PJW,
FWIW I have the most active financial accounts at about 3 institutions nowadays. Plus a few others that are not very active ones. So maybe we are not that dissimilar.

Some people have multiple accounts (401k's, IRA's, checking, CD's, stocks, bonds, ....) partly because their employers (current and previous maybe) required them to funnel money somewhere. It gets even messier if a spouse has to have additional accounts at even more institutions. After retiring I consolidated where possible. It's particularly important for portfolio management -- at least the way I do things.

[Phineas J. Whoopee]

Hi PJW,
... maybe we are not that dissimilar. ...

[bUU]

Some people have multiple accounts (401k's, IRA's, checking, CD's, stocks, bonds, ....) partly because their employers (current and previous maybe) required them to funnel money somewhere. It gets even messier if a spouse has to have additional accounts at even more institutions. After retiring I consolidated where possible. It's particularly important for portfolio management -- at least the way I do things.

When my mother passed away, I found her accounts scattered. Even within her investment accounts I found itty-bitty holdings, like 3 shares of Liberty Media and 2 shares of Discovery Communications. It was maddening to try to make sense of all of it.

What I'm finding is that as much as I try to consolidate, there are "forces at work" thwarting my efforts. First, current employers aren't necessarily cooperating by having my preferred brokerage host their 401(k) programs. Second, I'm concerned about old employee stock ownership programs - they go back before we got our financial records in order, and so we don't have a good read on just how much of a discount we got. If we liquidate them I would hope that the current brokerage will provide some useful information for determining cost basis, but if we transfer them to consolidate our holdings, how will we know how to declare the gains? Third, part of the inherited holdings were funds that seem to be non-transferable - funds that Fidelity doesn't (can't?) hold.

[jimkinny]

Many good suggestions.

I log onto my primary banking/credit card account daily. I do the same at Vanguard. Vanguard has a pending transaction function that I check, as well as my last log on at Vanguard.

I do this before the opening of business and just recently started doing this, because of the Apple security issue of several months ago. Human failure resulted in an Apple employee giving information to a person who called Apple, in order to hack some accounts. Not much you and I can do to prevent that.

Several years ago a NYT article suggested that if you are using one computer, to have a user with the administrator functions password protected. I use that user to go to the above two web accounts. I use another user to do my general browsing.

As suggested above, I use an email account only for these 2 accounts and other email accounts for everything else. I started doing this because of the Apple fiasco several months ago. I do not use anything close to real word answers to security questions.


jim

[BlueEars]

How about just slightly modifying security questions?

For example, for your first pet's name instead of just putting "fido" you add "usb" (for US Bank) to give "fidousb".
So this is unique and easy to remember.

[The Wizard]

The main problem with all these complex schemes is that once Alzheimer's kicks in, you'll never again be able to log into any of your accounts.
Periodic things already set up will continue, but that will be it.
Eventually, your survivors will get court orders forcing Vanguard to liberate your securely locked account, etc.

[Sbashore]

Another thing to consider is to use openDNS and download their dnsCrypt. It encrypts dns requests so they aren't sent in the clear and thus cannot be intercepted.

[Phineas J. Whoopee]

The main problem with all these complex schemes is that once Alzheimer's kicks in, you'll never again be able to log into any of your accounts.
Periodic things already set up will continue, but that will be it.
Eventually, your survivors will get court orders forcing Vanguard to liberate your securely locked account, etc.

Certainly a fair criticism. One chooses among the available options as best one can, and all have disadvantages.

PJW

[Mudpuppy]

What are some ways to prevent someone from getting into or stealing money from my bank and broker accounts?

First, you need to come to terms with the fact that you will never be able to absolutely, 100% prevent other people from stealing money from your accounts. There are just too many avenues for such fraud to have iron-clad prevention (short of not having bank accounts at all, but then what if someone steals your "mattress"). Once you have accepted this basic security precept, you can then get to work on devising a reasonable plan for both prevention AND recovery. You already have many good suggestions from others on prevention, so let's focus on recovery.

Your recovery plan starts with reading the financial institutions' policies and understanding the regulations relating to fraudulent transactions in the various types of accounts. You should only choose to do business with institutions that have solid coverage for their customers in the event of a fraudulent transaction. Next, you must monitor your accounts frequently to look for fraudulent transactions. If you find one, you must notify the financial institution immediately so that they can block further fraudulent transactions and begin an investigation. Finally, have a backup plan in case one account gets tied up in fraud investigation. In my case, I have accounts at two different local credit unions so if one is tied up in investigations, I can use the other to cover expenses until the investigation completes (which can take as long as 3-4 weeks depending on the type and severity of the fraud).